10-16-2009 12:27 PM
Hello.
I have to develop a simple web application that will enable users to reset their forgotten passwords or to unlock themselves if they are locked because of too many failed login attempts.
As you can imagine, this application must not require a login. For security reasons any action has to be logged.
The username cannot be used for logging purposes, as the application is executed using a default user defined in transaction SICF. That's why the IP address of the user's PC has to be written into the log table.
My problem is that I do not know how to get it. I have read many articles on help.sap.com, searched in the SAP notes, used Google and tried to find useful functions in our SAP system, but after two days it still does not work and I don't know what else to try.
At the moment I am able to read the name of the client PC with my test coding.
DATA: lv_webgui TYPE xfeld.
STATICS: lv_computer_name TYPE string,
         lv_username      TYPE string.
" gc_true was not declared in the original snippet; xfeld 'X' = true
CONSTANTS: gc_true TYPE xfeld VALUE 'X'.
CLASS cl_gui_frontend_services DEFINITION LOAD.

" 'X' when the session runs in SAP GUI for HTML (ITS), initial otherwise
lv_webgui = cl_gui_frontend_services=>www_active.

IF lv_webgui EQ gc_true.
  " Begin of experimental coding #1: ask the frontend control for the host name
  CALL METHOD cl_gui_frontend_services=>get_computer_name
    CHANGING
      computer_name        = lv_computer_name
    EXCEPTIONS
      cntl_error           = 1
      error_no_gui         = 2
      not_supported_by_gui = 3
      OTHERS               = 4.
  IF sy-subrc = 0.
    " frontend results are only transported back after a flush
    cl_gui_cfw=>flush( EXCEPTIONS OTHERS = 1 ).
  ENDIF.
  " End of experimental coding #1

  " Begin of experimental coding #2: read the ITS environment variable
  CALL FUNCTION 'ITS_ENV_GET_VARIABLE'
    EXPORTING
      variable = 'COMPUTERNAME'
    CHANGING
      value    = lv_computer_name
    EXCEPTIONS
      OTHERS   = 1.
  " End of experimental coding #2

  " message 000 of class 38 is the generic '& & & &' message
  MESSAGE s000(38) WITH lv_computer_name.
ENDIF.
Edited by: Jörg Neumann on Oct 16, 2009 1:27 PM
10-16-2009 2:40 PM
You can get the IP address via
cl_gui_frontend_services=>GET_IP_ADDRESS
I think the main problem remains:
How to avoid the security warning in Internet Explorer.
As you say: if they do not allow it, then do not allow the transaction...
So, if you do not get an IP address, then terminate the transaction with an error message.
Documentation from the Method:
Short text: Gets IP Address
Functionality: This method is used to get the IP address.
Parameters
IP_ADDRESS (returning) This string contains the IP address.
Exceptions
CNTL_ERROR A control error occurred.
ERROR_NO_GUI No GUI is available.
NOT_SUPPORTED_BY_GUI This method is not supported by the GUI.
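An exception-safe version of the call this reply describes, written as an added example for this page and not taken from any post in the thread. It assumes a plain report context, that message 000 of message class 38 is the generic '& & & &' message, and that the frontend result has to be transported back with cl_gui_cfw=>flush( ) before it is usable; aborting on an empty result is the policy recommended above, not something the method enforces by itself.

```abap
REPORT z_client_ip_check.

" Added example: fetch the client IP address through the frontend control and
" terminate the transaction when nothing usable comes back.
" Assumptions (not confirmed by the thread): message 38/000 is '& & & &';
" a cl_gui_cfw=>flush( ) is needed before the returned value is valid.

DATA lv_ip_address TYPE string.

" Catch every documented exception; an uncaught CNTL_ERROR would dump.
cl_gui_frontend_services=>get_ip_address(
  RECEIVING
    ip_address           = lv_ip_address
  EXCEPTIONS
    cntl_error           = 1   " e.g. the browser refused the control
    error_no_gui         = 2
    not_supported_by_gui = 3
    OTHERS               = 4 ).

IF sy-subrc = 0.
  " Frontend results are transported back only after a flush.
  cl_gui_cfw=>flush(
    EXCEPTIONS
      cntl_system_error = 1
      cntl_error        = 2
      OTHERS            = 3 ).
  IF sy-subrc <> 0.
    CLEAR lv_ip_address.
  ENDIF.
ENDIF.

" Exception or empty string: abort rather than continue without a log entry.
IF lv_ip_address IS INITIAL.
  MESSAGE e000(38) WITH 'No client IP address - aborting'.
ENDIF.

" Reached only when an address was returned. It is a log entry, not an
" authenticated identity: proxies and DHCP make it unreliable as evidence.
MESSAGE s000(38) WITH 'Client IP address:' lv_ip_address.
```

The E-type message at report level ends the program, which is the "terminate the transaction" behaviour the reply asks for; whether the browser actually allows the control to run is outside the program's control.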
10-19-2009 8:35 AM
Hello Tomas.
Thanks for your reply. I have already tested the method
cl_gui_frontend_services=>GET_IP_ADDRESS
but unfortunately this method produced a dump because of an uncaught exception (CNTL_ERROR).
Adding
EXCEPTIONS OTHERS = 0.
to the method call avoids this dump, but the method returns an empty string.
Anyway: five minutes ago I got permission to log the computer name and user name instead of the IP address. I still don't like the idea of reading data from the client using e.g. JavaScript, but as I am not able to find a better way, I'll have to use it for the moment.
If anybody knows how to get the client's IP address directly from the ITS, further replies would be highly appreciated.
Regards Jörg Neumann
10-19-2009 8:47 AM
> I have to develop a simple web application that will enable users to reset their forgotten passwords or to unlock themselves if they are locked because of too many failed login attempts.
> As you can imagine, this application must not require a login. For security reasons any action has to be logged.
Please don't talk of "security" in this context.
The approach you have described is totally insecure - an attacker gains unlimited number of password crack attempts by being able to bypass the lock mechanism. In days of reverse proxies and DHCP an IP address is not worth anything.
> I have to ...
Better ask back whether this is really intended - and get a written confirmation (for your own sake).
10-19-2009 10:10 AM
> ...an attacker gains unlimited number of password crack attempts by being able to bypass the lock mechanism.
Actually, I would prefer a DoS attack against the services and communication interfaces, perhaps with special attention to this password reset service itself and a longshot at inbound processing having been setup for workflows to reset the password.
If the log is written to the file system, then it might be advisable to first flood the file system full of twitter posts to stop the log.
> In days of reverse proxies and DHCP an IP address is not worth anything.
Oh yes, I would definitely hide behind one of those as well.
Cheers,
Julius
10-19-2009 10:28 AM
Hello Wolfgang.
Thanks for your reply.
I can imagine that the application as described above seems to be very insecure, but the description is not complete; I left some parts out, as they were not relevant for my problem.
1.) The application can only be reached from our intranet.
2.) Unlocking / resetting the password can be done three times per day, which limits the number of attempts for cracking a password to a total of 20 per day.
3.) The owner of the account will receive an email if the account was changed by the application. So if somebody tries to crack the password, the owner of the account will get a total of 3 mails per day, which should make him/her at least a little suspicious.
I know that the logged data is quite worthless, as computer name and user name are read using client-side scripting and there could be a proxy between the client and the server, but this is exactly what I have to develop.
I will keep the logging problem in mind and talk about it in the next meeting, though I am quite sure that it won't change anything.
Regards Jörg Neumann
Edited by: Jörg Neumann on Oct 19, 2009 4:57 PM
10-21-2009 6:42 AM
Hi.
I have also thought about getting such an application, due to the fact that the end users tend to forget their passwords.
But I have discovered the wonderful world of Single Sign-On (SSO) and I just want to reflect that you are not really solving the problem of users forgetting their passwords; you just introduce new problems, like password hacking etc.
Have you at all considered using SSO? This really means that no passwords are used to log on to SAP.
/fredrik
10-23-2009 1:29 PM
Hello freppe.
We are already using SSO for some of our applications, but unfortunately not for SAP.
As i remember, it was planned to use SSO for SAP in the (far) future, but waiting for it is not an option.
Regards Jörg Neumann